How can you trust a cloud? Verify.

Group developing audit specs that could build faith in cloud applications

By Rutrell Yasin

May 05, 2011

The Distributed Management Task Force has formed a working group to develop a set of specifications that will let organizations audit cloud-based IT resources, regardless of their chosen cloud provider.

The Cloud Audit Data Federation Work Group (CADF) will develop open standards for cloud auditing to instill greater trust in cloud-hosted applications, DMTF officials said. DMTF is an industry organization that develops, maintains and promotes standards for systems management in enterprise IT environments.

The specifications will focus on audit information about IT resources as well as events and activity on those resources, said Winston Bumpus, DMTF's president. A cloud provider’s ability to provide specific audit events, log and report information on a per-tenant basis is essential.

However, “it is important to expose events and configuration changes in a standard way,” Bumpus said.

The CADF Work Group will develop specifications for audit event data and interface models and a compatible interaction model that will describe interactions between IT resources for cloud deployment models. DMTF expects a preliminary specification to be ready in the next 12 to 18 months.

The specifications developed in the CADF will combine with those developed in DMTF’s Cloud Management Working Group to provide a suite of specifications that enable interoperable cloud management between service providers.

CADF has formed alliances with other organizations such as The Open Group, Cloud Security Alliance, Object Management Group and the Storage Networking Industry Alliance to ensure alignment within the industry.

For instance, the Cloud Security Alliance has done some work on specifications related to cloud auditing and directory/namespaces that CADF members can incorporate into their specifications, Bumpus said.

The Cloud Security Alliance is strong in the area of defining security best practices while DMTF has focused on infrastructure. Working together, the organizations can forge greater interoperability between the two areas, he said.

DMTF has one of the few cloud-specific standards on the market, the Open Virtualization Format, which focuses on portability issues related to computing workloads. Additionally, DMTF is working on interoperability standards for the infrastructure-as-a-service cloud computing market.

DMTF is closely engaged with cloud standards work spearheaded by the National Institute of Standards and Technology, specifically the Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) and the Cloud Computing Standards Roadmap, Bumpus said. SAJACC is a collaborative technical initiative designed to validate interim cloud computing specifications before they become formal standards.

CADF specifications will be referenced in the Cloud Computing Standards Roadmap, Bumpus said. The document comprises an inventory of cloud-specific and cloud-relevant standards – existing and in development – that can be leveraged for cloud computing.

Cloud computing provides on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or interaction from the service provider.

Agencies are increasingly moving operations to the cloud, looking to free up data center space, cut maintenance costs and power use, increase the availability of systems for mobile users, and, above all, save money. Also, the Office of Management and Budget requires agencies to move three applications to the cloud in the next 12 to 18 months.